Layer7 API Management

Expand all | Collapse all

Generate ID Token Assertion

Jump to Best Answer
  • 1.  Generate ID Token Assertion

    Posted 07-27-2017 02:40 PM

    I am trying to use this assertion to create an ID token as JSON message but having some difficulties.

    I was able to figure out most of the fields except these:


    sub - This is not super important for me

    exp - This is what causing me pain. Document says "Enter the expiration date in seconds since 01.01.1970-00:00:00"

    This is epoch format. How do I set this field with an expiration time of 15 mins for each token generated but at diff times?


    There is no OAuth so the optional stuff doesn't apply for this use case.

  • 2.  Re: Generate ID Token Assertion

    Posted 07-27-2017 05:34 PM

    You can somewhat achieve this through using Xpath to do mathematical calculations.


    I am attaching a policy in which I take in ${request.time.seconds} and add 900 seconds to that value. Sadly the Xpath output is in scientific notation, so there is an extra RegEx to remove that notation. You should be able to copy or use this same policy logic to prepare a value to put inside the "exp" field.


    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="" xmlns:wsp="">
        <wsp:All wsp:Usage="Required">
                <L7p:Base64Expression stringValue="PGEvPg=="/>
                <L7p:ContentType stringValue="text/xml; charset=utf-8"/>
                <L7p:DataType variableDataType="message"/>
                <L7p:VariableToSet stringValue="dummyXml"/>
                <L7p:Base64Expression stringValue="JHtyZXF1ZXN0LnRpbWUuc2Vjb25kc30="/>
                <L7p:VariableToSet stringValue="total"/>
                <L7p:AssertionComment assertionComment="included">
                    <L7p:Properties mapValue="included">
                            <L7p:key stringValue="RIGHT.COMMENT"/>
                            <L7p:value stringValue="Size of the xml portion of the message."/>
                <L7p:Base64Expression stringValue="OTAw"/>
                <L7p:VariableToSet stringValue="xmlSize"/>
                <L7p:VariablePrefix stringValue=""/>
                <L7p:XmlMsgSrc stringValue="dummyXml"/>
                <L7p:XpathExpression xpathExpressionValue="included">
                    <L7p:Expression stringValue="$total + $xmlSize"/>
                    <L7p:Namespaces mapValue="included">
                            <L7p:key stringValue="s"/>
                            <L7p:value stringValue=""/>
                    <L7p:XpathVersion xpathVersion="XPATH_1_0"/>
                <L7p:AutoTarget booleanValue="false"/>
                <L7p:OtherTargetMessageVariable stringValue="responseXpath.result"/>
                <L7p:Regex stringValue="\.|E9"/>
                <L7p:RegexName stringValue="nodot"/>
                <L7p:Replace booleanValue="true"/>
                <L7p:Replacement stringValue=""/>
                <L7p:Target target="OTHER"/>
                <L7p:Base64ResponseBody stringValue="UmVxdWVzdCBUaW1lID0gJHt0b3RhbH0gKyAke3htbFNpemV9CgpSZXN1bHQgPSAke3Jlc3BvbnNlWHBhdGgucmVzdWx0fQ=="/>
                <L7p:ResponseContentType stringValue="text/plain; charset=UTF-8"/>

  • 3.  Re: Generate ID Token Assertion

    Posted 07-27-2017 06:03 PM

    I was not aware you can do this much easier just in the Date/Time Context Variable assertion mentioned below by Barry Stern. Follow that method as it's much simpler.

  • 4.  Re: Generate ID Token Assertion

    Posted 07-27-2017 05:48 PM

    For exp you can create a context variable  with a name  like exp of type date/time with the time offset to 900 seconds or 15 minutes.  Then in the generate id token  assertion set the value for expiration at ${exp.seconds}


    This is how the OTK does it.



  • 5.  Re: Generate ID Token Assertion

    Posted 07-28-2017 06:37 AM

    I tried the same initially before posting my question here. Looks like Generate ID Token needs timestamp un epoch format.  Errors out like this --> Assertion 'Generate ID Token'; The claim 'exp' is not a valid 10-digit unix-timestamp: ''


    The format field for date/time is set to 'Auto" ..should it be something else?

  • 6.  Re: Generate ID Token Assertion

    Posted 07-28-2017 10:38 AM

    The format should be "second timestamp" and it should work.

  • 7.  Re: Generate ID Token Assertion
    Best Answer

    Posted 07-28-2017 11:08 AM

    OTK image


    Incase you still have issue here is a snapshot of the OTK context variable this is from the "OTK id_token Generation - HS256" Encapsulated assertion. 



  • 8.  Re: Generate ID Token Assertion

    Posted 07-28-2017 10:57 PM

    Thanks Barry. That worked.